Microsoft Patch Tuesday

Rapid7’s senior security researcher Greg Wiseman comments on this month’s Microsoft patches, which were released yesterday:

This month sees another spate of critical fixes from Microsoft, including patches for a number of Remote Code Execution (RCE) vulnerabilities. Two of these are already known to be exploited in the wild (CVE-2017-8543 and CVE-2017-8464). Today’s patches are so crucial that Microsoft has once again released fixes for end-of-life operating systems, citing “the elevated risk for destructive cyber attacks at this time” and explicitly calling out the threat of nation-state actors. Updates are available for Windows XP, Windows Vista, Windows 8, and Windows Server 2003. They include fixes for MS17-013 (a Security Bulletin from April), as well as 20 CVEs with impact ranging across RCE, information disclosure, and elevation of privilege. Microsoft has not yet published details about some of these CVEs.

This month’s updates aren’t just about severity, but quantity as well, with 94 separate flaws being patched (compared to 66 last month, and 44 in April). This doesn’t even include the nine critical Adobe Flash Player RCE vulnerabilities that are also being fixed today and are rated “Priority 1” (meaning there is a high risk of vulnerable systems being targeted in the wild).

Most of the vulnerabilities are for Windows, split evenly between desktop and server. All of the Windows CVEs have a severity of Important or Critical, with the bulk of impact being information disclosure, followed by RCE, privilege escalation, and some security feature bypass vulnerabilities in newer versions of Windows (8.1, 10, Server 2012 R2, and Server 2016).

Microsoft Office and Office-related software (e.g. SharePoint, Lync/Skype for Business, and Office Web Apps) also have plenty of vulnerabilities being addressed this month, with thirteen information disclosure vulnerabilities and twelve RCEs between them all. In addition to various RCE vulnerabilities for SharePoint Server being addressed, Microsoft has also released a “defense in depth” update for SharePoint Enterprise Server 2013 SP1 and Enterprise Server 2016 that harden the products, without addressing specific vulnerabilities.